Rob Crittenden wrote:
> An IPA user reported this on our mailing list. He's getting SELinux
> permission failures from pam_mkhomedirs when he's trying to log into a
> machine for the first time as a user.
>
> Is there an existing way to configure a system to handle this?
>
> thanks
>
> rob
>
> ------------------------------------------------------------------------
>
> Subject: Re: [Freeipa-users] new freeipa user
> From: Natxo Asenjo <natxo.asenjo@xxxxxxxxx>
> Date: Thu, 26 Feb 2009 16:09:01 +0100
> To: freeipa-users@xxxxxxxxxx
>
> On Thu, Feb 26, 2009 at 4:20 AM, Rob Crittenden <rcritten@xxxxxxxxxx> wrote:
>> Natxo Asenjo wrote:
>>> I have so far only run into a problem and that is the auto creation of
>>> home dirs on the first login. I used the authentication configuration
>>> gui from fedora10 on the ipaclient and checked the option to
>>> auto-create homedirs but that doesn't work. There is a selinux error:
>>>
>>> Feb 25 23:28:47 ipaclient01 setroubleshoot: SELinux is preventing sshd (sshd_t) "write" to ./home (home_root_t). For complete SELinux messages. run sealert -l 2f194ec1-0764-48b0-b66c-d84734105283
>>>
>>> apparently the pam_mkhomedir.so is not allowed to work with selinux.
>>> Any workarounds?
>>
>> It would be helpful to see the sealert output for this error. We may be able
>> to include a generic fix in IPA, or pass this by the SELinux guys to see
>> what they think.
>
> ok, the output of sealert -l 2f194ec1-0764-48b0-b66c-d84734105283
>
> Summary:
>
> SELinux is preventing sshd (sshd_t) "write" to ./home (home_root_t).
>
> Detailed Description:
>
> SELinux denied access requested by sshd. The current boolean settings do not
> allow this access. If you have not setup sshd to require this access this may
> signal an intrusion attempt. If you do intend this access you need to change the
> booleans on this system to allow the access.
>
> Allowing Access:
>
> Confined processes can be configured to to run requiring different access,
> SELinux provides booleans to allow you to turn on/off access as needed. The
> boolean allow_polyinstantiation is set incorrectly.
> Boolean Description:
> Allow login programs to use polyinstantiated directories.
>
> Fix Command:
> # setsebool -P allow_polyinstantiation 1
>
> Additional Information:
>
> Source Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
> Target Context                system_u:object_r:home_root_t:s0
> Target Objects                ./home [ dir ]
> Source                        sshd
> Source Path                   /usr/sbin/sshd
> Port                          <Unknown>
> Host                          ipaclient01.virtual.local
> Source RPM Packages           openssh-server-5.1p1-3.fc10
> Target RPM Packages           filesystem-2.4.19-1.fc10
> Policy RPM                    selinux-policy-3.5.13-45.fc10
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall_boolean
> Host Name                     ipaclient01.virtual.local
> Platform                      Linux ipaclient01.virtual.local
>                               2.6.27.15-170.2.24.fc10.x86_64 #1 SMP Wed Feb 11
>                               23:14:31 EST 2009 x86_64 x86_64
> Alert Count                   1
> First Seen                    Wed Feb 25 23:28:47 2009
> Last Seen                     Wed Feb 25 23:28:47 2009
> Local ID                      2f194ec1-0764-48b0-b66c-d84734105283
> Line Numbers
>
> Raw Audit Messages
>
> node=ipaclient01.virtual.local type=AVC msg=audit(1235600927.386:53): avc: denied { write } for pid=3055 comm="sshd" name="home" dev=dm-0 ino=211745 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
>
> node=ipaclient01.virtual.local type=SYSCALL msg=audit(1235600927.386:53): arch=c000003e syscall=83 success=no exit=-13 a0=173bd66 a1=1ed a2=21 a3=6a6e657361632f65 items=0 ppid=1870 pid=3055 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
>
> so I run:
> # setsebool -P allow_polyinstantiation 1
>
> And next time I tried login on the console through gdm:
>
> Feb 26 15:41:53 ipaclient01 setroubleshoot: SELinux is preventing gdm-session-wor (xdm_t) "write" to ./home (home_root_t). For complete SELinux messages. run sealert -l cf03e02d-4bdd-484d-bf6f-d70c553bdab8
>
> running sealert -l cf03e02d-4bdd-484d-bf6f-d70c553bdab8 provides a
> similar output but one substitutes sshd for gdm as source, obviously.
>
> There is another SELinux error in the log:
>
> Feb 26 15:46:34 ipaclient01 setroubleshoot: SELinux is preventing gdm-session-wor (xdm_t) "create" to ./casenjo (home_root_t). For complete SELinux messages. run sealert -l a104e0b3-0dc4-4dc7-ba6a-494b7ca070de
>
> Summary:
>
> SELinux is preventing gdm-session-wor (xdm_t) "create" to ./casenjo
> (home_root_t).
>
> Detailed Description:
>
> SELinux denied access requested by gdm-session-wor. It is not expected that this
> access is required by gdm-session-wor and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
>
> Allowing Access:
>
> Sometimes labeling problems can cause SELinux denials. You could try to restore
> the default system file context for ./casenjo,
>
> restorecon -v './casenjo'
>
> If this does not work, there is currently no automatic way to allow this access.
> Instead, you can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
> Target Context                system_u:object_r:home_root_t:s0
> Target Objects                ./casenjo [ dir ]
> Source                        gdm-session-wor
> Source Path                   /usr/libexec/gdm-session-worker
> Port                          <Unknown>
> Host                          ipaclient01.virtual.local
> Source RPM Packages           gdm-2.24.0-12.fc10
> Target RPM Packages
> Policy RPM                    selinux-policy-3.5.13-45.fc10
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall_file
> Host Name                     ipaclient01.virtual.local
> Platform                      Linux ipaclient01.virtual.local
>                               2.6.27.15-170.2.24.fc10.x86_64 #1 SMP Wed Feb 11
>                               23:14:31 EST 2009 x86_64 x86_64
> Alert Count                   1
> First Seen                    Thu Feb 26 15:46:32 2009
> Last Seen                     Thu Feb 26 15:46:32 2009
> Local ID                      a104e0b3-0dc4-4dc7-ba6a-494b7ca070de
> Line Numbers
>
> Raw Audit Messages
>
> node=ipaclient01.virtual.local type=AVC msg=audit(1235659592.554:36): avc: denied { create } for pid=4301 comm="gdm-session-wor" name="casenjo" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
>
> node=ipaclient01.virtual.local type=SYSCALL msg=audit(1235659592.554:36): arch=c000003e syscall=83 success=no exit=-13 a0=7f577ce13bb6 a1=1ed a2=21 a3=8101010101010100 items=0 ppid=4174 pid=4301 auid=1100 uid=0 gid=1002 euid=0 suid=0 fsuid=0 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
>
> This time I cannot run restorecon -v './casenjo' because the folder
> ./casenjo simply does not exist; neither gdm nor sshd could
> autocreate them.
>
> I'd very much rather that selinux stayed enabled, obviously.
>
> Hope the output of sealert is helpful to you guys.
>
> ------------------------------------------------------------------------
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Yes, tell him don't use it? :^)

A better option is oddjob-mkhomedir.
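An added example, not code from the thread: it takes the four audit records quoted above (re-joined after the mail client's wrapping) and correlates each AVC record with the SYSCALL record of the same event, so a defender can see that both denials are one operation: a confined login domain (sshd_t, then xdm_t) calling mkdir under /home (home_root_t) itself. Toggling allow_polyinstantiation does not grant that; handing directory creation to a separate daemon, as the oddjob-mkhomedir recommendation does, takes the operation out of the login domains. Field names in the summaries are this example's own.

```python
import re
# The four audit records quoted in the thread (sealert "Raw Audit Messages"),
# re-joined onto one line each after the mail client's line wrapping.
AUDIT_LINES = [
    'node=ipaclient01.virtual.local type=AVC msg=audit(1235600927.386:53): avc: denied { write } for pid=3055 comm="sshd" name="home" '
    'dev=dm-0 ino=211745 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir',
    'node=ipaclient01.virtual.local type=SYSCALL msg=audit(1235600927.386:53): arch=c000003e syscall=83 success=no exit=-13 '
    'a0=173bd66 a1=1ed a2=21 a3=6a6e657361632f65 items=0 ppid=1870 pid=3055 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 '
    'egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)',
    'node=ipaclient01.virtual.local type=AVC msg=audit(1235659592.554:36): avc: denied { create } for pid=4301 comm="gdm-session-wor" '
    'name="casenjo" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir',
    'node=ipaclient01.virtual.local type=SYSCALL msg=audit(1235659592.554:36): arch=c000003e syscall=83 success=no exit=-13 '
    'a0=7f577ce13bb6 a1=1ed a2=21 a3=8101010101010100 items=0 ppid=4174 pid=4301 auid=1100 uid=0 gid=1002 euid=0 suid=0 fsuid=0 '
    'egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')           # key=value or key="quoted value"
SERIAL_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')  # records of one event share this serial
PERM_RE = re.compile(r'avc:\s+denied\s+\{ ([^}]+) \}')  # permission(s) the AVC record denied

def parse_record(line):
    """Split one audit record into its key=value fields plus event serial and denied perms."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    rec['serial'] = int(SERIAL_RE.search(line).group(1))
    m = PERM_RE.search(line)
    rec['perms'] = m.group(1).split() if m else []
    return rec

def selinux_type(context):
    return context.split(':')[2]  # user:role:type[:range] -> type

def correlate(lines):
    """Join each AVC record with the SYSCALL record of the same event into one summary."""
    by_serial = {}
    for rec in map(parse_record, lines):
        by_serial.setdefault(rec['serial'], {})[rec['type']] = rec
    out = []
    for serial, recs in by_serial.items():
        avc, sc = recs.get('AVC'), recs.get('SYSCALL', {})
        if avc:
            out.append({'serial': serial, 'perms': avc['perms'], 'tclass': avc['tclass'],
                        'name': avc.get('name'), 'source_type': selinux_type(avc['scontext']),
                        'target_type': selinux_type(avc['tcontext']), 'exe': sc.get('exe'),
                        'syscall': int(sc.get('syscall', -1)),  # 83 on x86_64 (arch=c000003e) is mkdir
                        'errno': -int(sc.get('exit', 0)),       # exit=-13 is -EACCES
                        'auid': int(sc.get('auid', -1))})       # 4294967295: audit uid not yet set
    return out

def home_dir_creation_denials(summaries):
    """Denials where a confined login domain tried to create a directory under /home (home_root_t)."""
    return [s for s in summaries if s['target_type'] == 'home_root_t' and s['tclass'] == 'dir'
            and {'write', 'create', 'add_name'} & set(s['perms'])]
```

Running it against the thread's records yields two summaries, one for sshd_t and one for xdm_t, both of which the last function flags; the a1=1ed argument in each SYSCALL record is the 0755 mode passed to mkdir.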